Security audit

OpenClaw技能分类与统计

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local OpenClaw skill inventory and report generator, with some implementation risks but no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable with a local tool reading your OpenClaw skill inventory and writing reports/cache files under your user profile. Prefer the modular generate_skill_list.py path, and be cautious opening generated HTML reports if you have untrusted skills installed, because skill metadata is rendered as HTML. The shell calls should ideally be hardened, but the observed behavior is consistent with local inventory reporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    for attempt in range(max_retries):
        try:
            result = subprocess.run(
                'openclaw skills list --json',
                capture_output=True,
                text=True,
Confidence
93% confidence
Finding
result = subprocess.run( 'openclaw skills list --json', capture_output=True, text=True, encoding='utf-8', ti

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def generate_markdown(skills, title):
    """Generate the Markdown document"""
    md = f"# {title}\n\n"
    md += f"> 生成时间: {os.popen('powershell -Command Get-Date').read().strip()}\n\n"
    
    # Summary statistics
    md += f"## 概览\n\n"
Confidence
94% confidence
Finding
md += f"> 生成时间: {os.popen('powershell -Command Get-Date').read().strip()}\n\n"

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises capabilities consistent with environment access, filesystem read/write, and shell usage, but does not declare any permissions. That mismatch undermines least-privilege review and can cause operators to authorize or run a skill without understanding it can inspect local files, modify outputs, or invoke commands. In a repository-scanning/classification tool, these capabilities are contextually plausible, but they still expand the blast radius if the implementation is compromised or behaves unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The generated page inserts untrusted skill fields such as name, version, category, and description into row.innerHTML. Although the values are JSON-encoded when embedded in the script block, they are later interpreted as HTML, so a crafted skill value such as an image tag with an event handler can execute JavaScript when the exported HTML is opened. Because the exporter processes many external skill metadata entries, the chance that attacker-controlled content reaches the report is correspondingly higher.

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
Using a shell command solely to obtain the current date/time is an unjustified capability for a reporting tool and introduces an avoidable command-execution surface. In a user environment this can be abused through PATH or binary hijacking, and it normalizes shell use in code that processes local user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises automatic translation as a feature but provides no indication of how text is processed, whether content is sent to a third-party service, or what data may leave the local environment. In a skill that scans other skills and their metadata, this can expose potentially sensitive descriptions or content without the user's informed consent.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
Presenting English-to-Chinese translation as an automatic default behavior implies user content may be transformed and possibly transmitted externally without explicit language or privacy consent. Because this tool enumerates and classifies installed skills, the translated content may include proprietary or sensitive text, making silent default processing more risky in this context.

VirusTotal

50/50 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate_skill_list.py:314